08 Mar Business data losses approach stimulus spending

The mounting annual trillion-dollar risk to businesses from corporate information loss and consumer data leakage gains perspective through the comparable magnitude of the federal stimulus package. The costs, liabilities and risks of lost, stolen, inappropriately accessed and improperly disposed information are astronomical and growing.
In the Information Age, data is a valued asset or currency as well as a toxic byproduct that can threaten competitive advantage and the personal right to privacy, if misused. Information theft and data pollution should be a concern of everyone. But it is not, because of a lack of awareness.
The ethical and legal consequences of safeguarding information assets and eliminating data pollution are largely unfamiliar to 25 million small and micro-sized organizations — call it the micro sector. For many, adopting computer technology and related practices into business processes began in the 1990s or earlier, long before laws and standards required information security best practices.
Many technology vendors and service providers are akin to the micro sector. They too facilitate risks to information assets and the generation of data pollution. For example, many micro sector organizations rely on local computer technology specialists to install, update, service and maintain technology. These technically capable entrepreneurs often evolve their technical skills from home-computing or micro-sector experiences. Often, they have little or no information security know-how to provide compliant solutions that safeguard client assets and mitigate data pollution.
Today the informal adaptation of information technology often continues with little concern for privacy and information security laws and best practices. Risks and liabilities continue to mount in organizations. Valuable intellectual property walks out the door, is thrown in dumpsters, is accessed through Web sites or conveniently hacked. Employees and consumers are often put at risk without a hint that their most precious asset, their identity, is up for grabs.
An uninformed indifference towards privacy and information security is common in the micro sector. Even so, leaders have an ethical and fiduciary responsibility to protect sensitive information regardless of prevailing laws.
For example, I recently discovered that some if not many counties in Wisconsin and throughout the nation allow access to certain public records over their Web sites for a fee or free. These imaged public records often have Social Security Numbers (SSNs) visible.
Digital imaging became an effective technical solution to manage public records before the threat of identity theft became an epidemic and public concern. Many public documents imaged over the last 20 or 30 years had SSNs printed on them.
Only now are state laws and procedures being adopted to preclude SSNs from document images. Some state laws do not address cleaning up the data pollution created in the previous decades of document imaging. Don’t the custodians of these records have the ethical responsibility to redact sensitive information such as SSNs before they are available to the public?
The Social Security Numbers on these imaged documents are an example of data pollution. Such publicly accessible documents are information assets containing SSN toxins.
Unrestricted access to such documents on the Web facilitates SSN harvesting and identity theft by anyone — terrorists in Afghanistan, fraudsters in Zimbabwe, stolen document dealers in Chicago and undocumented aliens in Abilene. Pilfered SSNs are used to perpetrate a wide variety of identity theft crimes including medical identity theft; perpetrating crimes under the SSN of an innocent person; obtaining false government identification such as driver’s licenses and passports to elude law enforcement or to facilitate acts of terrorism; and for various types of identity fraud — financial, account, employment, Social Security benefits, tax and insurance.
There are often simple solutions to privacy and information security, especially for the micro-sector. For example, redaction technologies can remediate imaged documents by removing the toxins — the SSNs. The process renders an untainted public record available for all to view without undue risk to the subject.
I just completed a comprehensive analysis of data breaches attributed to the private, public and volunteer sectors over the last four years. One conclusion is that the micro sector significantly underreports data breaches. The reason is simple: lack of awareness. Many data breaches go undetected. And many detected go unreported because of the lack of awareness about reporting requirements. For example, Wisconsin’s Breach Notification law has been effective for nearly three years. Yet a wide variety of organizations and professionals that I’ve interviewed are quick to admit they are not aware of the law.
In the study, I estimate that data breaches are underreported by a factor of 100. I attribute this factor to a general lack of awareness of privacy and information security fundamentals in the micro sector.
Information technology will continue to change how we do business, how we live and how we play in positive and delightful ways. But unless we raise the awareness of security and privacy issues associated with information technology in all sectors, the losses and risks to business and government and to our right to privacy will also continue to rise.

Dr. Joe Campana is a certified identity theft, privacy and information security professional. He is the author of the book Privacy MakeOver: The Essential Guide to Best Practices, a do-it-yourself guide for small organizations. Campana blogs regularly in PrivacyDiary, a blog that focuses on identity theft, privacy and information security issues that are relevant to small businesses and other small organizations, their owners, managers and employees. He is an information security consultant with J. Campana & Associates, which tracks data breaches in Wisconsin and beyond.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of the Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.